Posted
by
timothyon Wednesday December 03, 2003 @01:20AM
from the don't-tell-all-your-friends dept.

cpudney writes "According to this article in NEWS.com.au, Telstra BigPond, Australia's largest ISP will monitor its customers' e-mails and suspend the accounts of users suspected of sending spam, viruses or denial-of-service attacks. Under changes to its Acceptable Use Policy, BigPond will investigate cable and ADSL Internet customers sending more than 20 e-mails in a 10-minute period, and BigPond management "may suspend the (user's) account while the customer is contacted" if they are suspected of sending spam. Previously, BigPond's definition of spam was held to be 400 messages sent over a 15-minute period and now it's changed to 20 e-mails over 10 minutes. Internet Society of Australia president Tony Hill said BigPond's new definition of spam was very restrictive and he was concerned the limit had been set too low for legitimate e-mail users."

They're only going to investigate those people, not disable their accounts. If they look at it and see that they sent legitimate messages because they just pop on to send e-mail, they'll be find and their ISP will move on. At least this should make the net big enough to actively catch spammers eariler.

You mean some poor sod at Telstra is going to check the email habits of the 1.5 million old age pensioners who log on for two minutes a day to send 30 emails, download their 30 email messages from their friends and then log off.

If you read a little better, this is only for ADSL and Cable customers, why they would read offline (Unless they have a notebook or something) when on ADSL or Cable it doesn't matter if they are online or not?

On top of the previous posters comment regarding it only being investigated and not an automatic immediate suspension.

I hope they at least contact the user before shutting off service. I can think of many legitimate reasons to send 20 e-mails in 10 minutes. My adress book has many times that, and sending a CC to a fraction of my adress book would trip this.

Might be over-reacting. I RTFA, and it's peppered with "mights" and "maybes". I'd wager that hitting the limit of emails in a certain time period is only going to make them put a magnifying glass on you for a while. They have access to enough information to ascertain whether you are sending legitimate emails or spam, that's for sure.

As a side benefit, this will help them help their customers that get hit with email worms... some people may not even know they are spamming, no?

2 Path. a A morbid principle or poisonous substance produced in
the body as the result of some disease, esp. one capable of being
introduced into other persons or animals by inoculations or otherwise
and of developing the same disease in them. Now superseded by the
next sense.

b Pl. viruses. An infectious organism that is usu. submicroscopic,
can multiply only inside certain living host cells (in many cases
causing disease) and is now understood to be a non-cellular structure
lacking any intrinsic metabolism and usually comprising a DNA or RNA
core inside a protein coat (see also quot. 1977). [ Formerly referred
to as filterable viruses, their first distinguishing characteristic
being the ability to pass through filters that retained bacteria. ]

Other sources that support viruses include Birchfield
(n Fowler:-) in Modern English Usage [train4publishing.co.uk] (3rd
Edition), and also the Cambridge Encyclopedia of the English Language [train4publishing.co.uk].
Classical Inflections
While one would hope that the authoritative sources cited above would
suffice, some writers prefer to maintain the classical inflections on
some English words, particularly in technical writing. For example,
conflicting indexes/indices and minimums/minima are both
easily found, depending on the intended audience and use. In that case, what's
the classical plural of virus?

The simple answer is that there
wasn't one. The longer answer follows.

Writers who, searching for a fancy plural to virus,
incorrectly write *viri are doubtless blindly
applying an overreaching -us => -i rule.
This mis-inflects many words.
For example,
status and hiatus only change the length of the final vowel;
genus goes to genera; corpus goes to corpora.
Others are even worse if this rule is mis-applied, like
syllabus,
caucus,
octopus,
mandamus,
and
rebus.

Anyway, Latin already had a word viri, but it was the nominative
plural not of virus (slime, poison, or venom), but of vir (man), which as
it turns out is also a 2nd declension noun. I do not believe that
writers of English who write viri are intentionally speaking
of men. And although there actually is a viri form for virus,
it's the genitive singular[1] [slashdot.org], not the nominative plural. And we
certainly don't grab for genitive singulars for the plurals when we've
started out with a nominative. Such hanky panky would certainly get
you talked about, and probably your hand slapped as well.

This may be both off topic, posted by an anonymous coward, and insanely long, but it should be modded up just so that the general slashdot population isn't denied the pleasure of witnessing the worlds most anal retentive pedant in action.

I've seen grammar nazis before but this is the most incredible thing I've personally ever witnessed.

I think that an email with a bunch of addresses in the CC: line is just one email. The more valid example is of people that compose off-line then send messages in a big burst. Except that local phone calls are a fixed price in Australia, so who still does this?

I hope there are some other triggers for this system, for example: Sending more than 20 email in 10 minutes The first time you log on to a new account would probably be more suspicious.

(Also, I think the comparison to/.'s two minute wait before posting is a very valid one.)

Maybe they should also add a standard that you have to send out X emails before you get more privileges. This way a spammer can't just leave an account idle & then start to use it. I suppose that he could just make a cron job to make him look active, but every little bit helps.

The more valid example is of people that compose off-line then send messages in a big burst. Except that local phone calls are a fixed price in Australia, so who still does this?

People with dialup who want to keep their only phone line free for incoming calls.

Yes, it's easy for those of us who have broadband (or, I suppose, those of us who don't get [m]any incoming calls,) to forget about the common hazards of dialup internet access. This isn't stone knives and bearskins; it's a legitimate choice be

I can tell you that contacting users before shutting them off is a very bad idea. It's very frequent that a user will have wrong contact info on file when you go to contact them...any time you try to wait to contact them you're almost always just delaying for the sake of somebody who knows nothing about their computer except that how to use word...for the sake of what! Notification == waste of time, 16 years experience agrees with me.

Never had to answer 20 emails?
Great.
Just hope you are online all the time and not coming back from a trip or something, where some emails may have acumulated in your outbox.
20 emails is VERY low - I am now going on a three day trip, and I can bet I will have 40-50 outgoing mails in my mailbox when I return, just waiting to hit our email server.
So, with their definition I would be in trouble.
WHOW.

Only if you replied to 20+ of them within the alotted time. Frankly, I don't think I could do that on purpose, let alone through casual email use.

Frankly, I don't see what's so bad about this. Not only would it make spamming harder through that ISP, but it'd also cut down on the damage caused by somebody who's machine is infected with a maliscious worm.

I think there are better ways they could approach this, but I'm not ready to knee-jerk into thisisev

Why is BigPond trying to identify a spammer from just 10 minutes of traffic. Or even just 15 minutes? I would think it would be much better to have a metric like 1000 emails in a single day. Or 10,000 emails over a week?

I can very easily go through 20 emails in 10 minutes just because I might be having one of those back-and-forth email conversations. I don't know if I could do 400 in a 15-minute period, unless I was running a mailing list (well, which I do, but that's why I use "personal" business ISPs).

This sort of metric just seems extremely silly. Is someone putting pressure on BigPond, or is one of their executives being an idiot?

The time scale is definately not too small. If the ISP wants to stop a spammer, he should do that as soon as possible (after 10 minutes or even earlier), not a day later, when 10.000.000 e-mails have already left the pc.
Once upon a time one of my servers was an open relay and got abused for a spam-run - I assure you: in 10 minutes the server will spout out several thousands of e-mails!
Kudos to Big-Pond!

Great..a slashdot style limit on time between posts.Now Telstra's customers are just missing the lameness filter and the moderation. The occasional dupe happens in email allready.Hm. There's a chance a lot of my work on Healthcare Informatics would be modded -1 Redundant and never reach my professor.

I couldn't tell from the article exactly how they were counting 20 emails (cc's or bcc's count? groups count?). But the fact that they monitor by email sending rate seems interesting. I think adding just one more step to that process could make it really useful.

1) Monitor all sources of emails in which large numbers are being sent over a short time period.

2) Allow a central repository for people to report which emails are considered spam. Once that amount reaches a certain threshold...

There's no reason for this. All an ISP needs to do is institute a policy whereby if someone is caught spamming, the cleanup charge is $20,000. They already have their credit card, all they need to do is charge it.

Under changes to its Acceptable Use Policy, BigPond will investigate cable and ADSL Internet customers sending more than 20 e-mails in a 10-minute period, and BigPond management "may suspend the (user's) account while the customer is contacted" if they are suspected of sending spam.

It doesn't say anywhere they they will suspend your account if you simply send 20 emails in 10 minutes. All it says is they may investigate users who do, and may suspend their account upon further investigation. I really don't see a huge deal with this, and there isn't any plausible reason to get angry with this policy if it is followed properly.

True. To me, this appears to be a way for BigPond to have some recourse in case a spammer decides to program his software to send 399 messages per 15minutes. There's no reason to expect it to be enforced very strictly, but like the rest of the AUP (at least the one from my ISP) it gives them some options in case there is "abuse".

It's not like there's an automatic suspension for exceeding the limit. They're just advising that 20 in ten minutes is the level that now prompts them to look more closely at. If they aren't stupid about it, it shouldn't be a problem.

Sure. And when enough of the investigations show a pattern of non-spam, maybe they'll scale it back, or discover some decent way to ignore the obviously non-spam. But it'll take humans to investigate these cases to decide what's necessary/worthwhile.

This is going to be a bit of a problem for people running things like majordomo and so on fromtheir home linux boxes.

If things have been set up to use the ISP's mail servers as relays, which you might do to save on bandwidth, it's going to get sticky. (Or does one message with a trillion addresses count as one message?)

Picture this: Telstra Bigpond email systems die again (just give it another week) and you cannot send out your email. You have 20 messages in your outbox waiting to be sent. Finally their systems come back on-line (for now) and you send all the emails only to get flagged as a spammer and denied to email again.

One of my uni lecturers uses Bigpond as his ISP. He also has his uni email accounts redirected to his Bigpond address. He had problems a while ago when Bigpond went down. He normally accepts assignments via email, but everything sent to him got delayed a few days. Thankfully he accepted assignments which had been sent to him on time, otherwise a lot of people would have inconvenienced.

This lecturer also has other responsibilities (I won't go into detail here) which require him to him to send out newsletters to all of the students in our department, plus international committees and a large number of university staff. We are a small department, but still have ~100 students. Sending out a student newsletter would trip the new email limit. I don't know how he's going to get around this from home (obviously he can send it using our uni mail server when he's at work).

Just another example of Bigpond not being up to scratch these days. I personally use a competing ISP, and have never had a problem. I don't know how Bigpond is going to keep its customers with shit like this.

I don't know how Bigpond is going to keep its customers with shit like this.

Telstra has all sorts of ways to try keep their customers. For example, misleading advertisements - they were forced to take some of their TV ads off the air by the ACCC. Or abusing their monopoly on the phone lines by lying about the availability of ADSL - they told a customer he was too far from the exchange when he wanted to get ADSL through another ISP, but was close enough for Bigpond. Then they threatened him when he talked!

I think there is only so far they can slide, however, before even the most uninformed consumers see the light. Their recent run of email brown outs must have been hard for even the most tolerant of users to ignore. This article [whirlpool.net.au] at whirpool suggests that people are finally starting to wake up.

Don't know much about Bigpond as a company(moved from Aussie well before anyone had ADSL or cable or even 14.4 modems), but if they go down I doubt it will be because of this. It's probably too strict and they will probably end up changing it, but spam is out of control and something has to be done to stop it.

Everyone here is usually all in favor of any sort unimplementable scheme to prevent spam and this one(with a bit of tweaking) might not be a bad idea. Admitedly some legitimate customers will be inconv

I don't know how he's going to get around this from home (obviously he can send it using our uni mail server when he's at work).

Plenty of possibilities:

1) stagger sending - send 15 every 10 minutes. A real pain, but it'll work, unless they lower the limit again2) have an alias set up on the uni mail server, that expands to all the relevant users, and send a single mail to it3) have a mailing list set up on the uni mail server, and send a single mail to it4) set up a modem on a machine in his office, and

It's been reported that SpamCop is paying upwards to $30K / year for bandwidth as a direct cause of the continous DDOS attacks on it.

The spammers are doing everything they can to squeeze the anti-spammers out. They use frivolous lawsuits (aka Mark Felstein and his porn spamming backers) or DDOS attacks that either knock the anti-spam resources off completely or increase the costs so that no hobbyist can run them.

And while all this is going on, the law enforcement agencies are doing nothing to counter the clearly illegal acts of the spammers.

And ISPs are doing NOTHING to reduce the number of zombies on their networks. So the DDOS attacks continue.

Nice going.

It's only a matter of time when someone (Al Queda?) will use the zombie network for something that will truly be noticed.

DDoSers have to have a control system. (What good are all those zombies if you can't point them at a target?) Tracking them back from a zombie isn't as easy as just following the wire, but it isn't impossible.

It does take more resources than most anti-spammers have. A little help from law enforcement would be nice -- hopefully before someone uses the same technique to take down something else other than "just that anti-spam stuff".

Well, people have the option of voting with their wallet and taking their money elsewhere. Australia has tonnes of ISP. Bigpond imposes ridiculous limits, I move to Optus [optus.com.au] and if they screwup to Blue Planet [bluep.com].

I have an SMTP server running on my computer. I set it up a few years ago mainly to try to see how good a handle I had on how SMTP works, and I've continued to make use of it mainly so I can create my own Email aliases and help curb the amount of spam I get and keep track of its "real" origins... But setting it up was very little trouble for me. I grabbed a copy of sendmail, compiled it, spent a few hours figuring out how to configure it, registered an MX record with DHS Interna [dhs.org]

This isn't about stopping spam, serious spammers don't use their own accounts, they relay off others.

What it will sneak through under the cover of Spam hysteria is the following.

1) It will force budget business users onto more expensive corporate accounts.

2) It will stop people batching their email correspondence to miminise online time which in turn will reduce peak load on telstra and also bring in more money.

3) Less nasty but equally beneficient to Telstra it will allow them to stop worm riddled machines bogging down their email servers (Telstra are facing massive damages over the near collapse of their email infrastructure and associated business losses).

Come on guys, everyone knows what spam is. Its plain and simple. What this seems to be is a description of common behavior patterns of ppl who send spam. Thing is that this is going to have false hits. Filtering on content is really the only way to be sure (other thing nuking from orbit)

This is what you get for being a sheep and supporting your local (ex)Monopoly. No surprises here, none whatsoever.

Pain for many normal users? Sure!Likely to increase ISPs income? Sure!Actually going to make a *real* difference to professional spammers? Not likely!

Not much more than the usual big company thinking It's not important to solve the problem. It is only important that we convince the public we're working hard to solve the problem. (eg Microsoft and Security)

If someone is intent on sending out mass mailing spam, they have LOTS of ways to accomplish this and I'm guessing by having an ISP limit outgoing messages in an effort to reduce spam is not going to stop them.

This type of a system could be effective in detecting and disabling accounts that are infected, zombies or unintentially sending out spam. While it would be nice if everyone was a "good netizen" and maintained their systems and was security minded.. its not going to happen. A system like this, if it

Is Telstra really excessively dumb? I would guess not, so let's suppose for a moment that they aren't.

If they're not really really stupid, they might have thought: Gee, I wonder if there's any way to tell what's 3 standard deviations above the mean as far as peak mail sending rate is? Do we have, anywhere, a listing of all the emails that have been sent by our users? Preferably arranged in chronoligical order, with timestamps? If we had that, why all we'd have to do is a little grep and wc action, toss in some particularly ugly perl to aggregate the results, and we'd be able to figure out what normal is. From there, we'd be able to figure out what weird is. Once we know what weird is, we'll know which accounts we should take a closer look at.

I've gotta think they figured that out. After all, they have to have figured out how to count the mails per minute per user to be able to implement this (and their former rule), right?

Of course, it's possible they really are too dumb to look at their own server logs. Maybe they pulled this number out of some business weenie's ass during one of those catered lunch meetings in the big glass windowed room with the collossal oak table. If this is the case, then they'll get false positives by the cartload and they'll quickly be swamped in the acrid stench of their own foolishness.

I find the latter a little implausible. Telstra may be a big evil monopoly, but I don't think they're a big evil imbecilic monopoly.

I'd say that they're pretty dumb in that case. 3 standard deviations
assumes a normal distribution, which most likely is not the case. So anyone
doing such a statistical analysis as you suggest is not competent. The correct
distribution is likely to have long tails, and 3 standard deviations is the wrong quantity to monitor.

As many people have (rightly!) pointed out, I could easily send two emails a minute - if I get back from a few days away, I might have twenty emails to reply to, and I have Pegasus Mail set to send everything in one hit. Especially if they're counting the number of recipients, and not just the number of emails (which would make sense re spam!)

What I want to know is, how do they decide if you're sending spam or not? Do they read your email? If so, that's pretty serious - I'd be interested to know what th

If that happened here, I could only imagine the number of pseudo-mass-mailers that would have issues. You know, the people that send almost EVERYBODY WHOSE EMAIL ADDRESS THEY EVER HAD the greatest joke they read this morning, or funniest picture or....

Even I could get screwed over! After releasing a newsletter, which goes out upto 10 addresses (half in BCC), I get to hours old email, dashing through as much as I can, which tends to probably push the limit about once a month.

but then i could care less anyways. I got sick of Bigpond's massive outgoing spam, and their complete lack of a clue in responding to it, so i ended the problem permanently. For someone people, there's spam. For everyone else, there's iptables:) ( For the clue impaired, i firewalled all of bigpond's network off from my mail server)

Does bingpond intercept all SMTP connections? If not wouldn't it just be possible to buy a small hosting accounts with AUTH-SMTP and send out via that. The other choice would be to just setup an SSH tunnel on a non-standard port and tunnel to another SMTP server

This is probably common with all huge Telco ISPs the world over but I think that Bigpond themselves could do more to prevent tides of Spam originating from their customers... I think these mega ISPs have a "CPE" attitude that's left over from their Telco division - i.e. If it's beyond the equipment we provide - it's "Customer Premises Equipment" and we therefore, don't care.

Bigpond could install heavy default firewalling (especially ports 80 and 25) to protect against people who install default operating systems with Christmas tree options or are infected with spamware so they readily become spam relays and force customers to use ISP provided gateway servers. Better yet, ask customers to knowingly switch off their ISP firewalling if they're providing a legitimate Internet service. (and therefore prove that they know what they're doing)

The end days of open-slather unfirewalled broadband accounts for "Mum and Dad" Internet users is long overdue.

The conspiracy theorists claim that because Bigpond charges customers per Mb for both incoming and outgoing traffic, they really don't care if their customers are open-proxy spam relays because they'll be hit with a bill for the traffic "they've" used at the end of it. That's probably extreme, it's more than likely that they just don't care or have the technical/human resources to do anything about it...

If ISP's run spam filters (eg spam assassin) in their incoming servers, why doesn't BigPond run one on it's out going servers. Any emails with subjects like "G%@fasas!!131ah@#@ you wife will love this!" and etc should warrant a closer look. Or how about when their email servers receive about 3000 bounced emails for the same account in an hour.

If I send email to more than five people then the mail that was cc'd to someone with a RR account gets bounced. Apparently RR thinks if your mailing more than five people your running a mailing list and they want the person receiving it to verify they agreed to the mailing list to them, (that is, Road Runner).

I object to this for several reasons:

I come from a family of eleven children most of whom have five or more children so if we try to arrange things via email for the holidays we end up having much of our email bounced.

Why should I, or anyone else, have to let RR know what email lists we subscribe to? Sorry, this is too big brotherish for me.

Finally, there has to be better ways to stop spam. This seems too "designed by a committee" stupid.

It is simple... enable Spamassassin not just for incoming mail, but for outgoing mail too.

Then calculate the scores of each user. If a particular user is sending lots of email that Spamassassin is "scoring" highly, then it is likely that the user is spamming or at least sending out spammy emails, and would warrent a closer look.

This would increase the load on outgoing mail servers, but if they want to do this right, and do it much more automated than manually reviewing everyone that sends "X emails in X m

There was an article, featured on Slashdot, quite some time ago, which could be applied here. The thought was that if an identified spammer tries to send to your SMTP server, the service would be slowed down.

To protect both the ISP and the innocent, they could implement a feature where after 20 mails in 10 minutes, mails would only be processed at the speed of, say, one mail per 30 seconds, and maybe slowing progressively after each 100 mails. When the mail pipe has been silent for a given amout of time, say ten minutes, the "mail slower" would be reset.

This wouldn't make much difference for the legit home user but for the spammer (and for a business connection) it would be a tar pit to avoid.

This could probably be implemented just by installing a crappier mail server;)

If I had to set up a community listserver on my private account. As well as any e-mail auto-forwarding. When I go online, I get 20 incoming e-mails and thus 20*n outgoing e-mail messages in a short period of time.

I am a bigpond user. and i know that for many users this is a godsend!
you see bigpond has very restrivtive and long contracts which cost a lot to buy out of. this gives us the chance to get out of our contract without paying the fee.
also... bigpond has the worst spam of any network in the world...simply because they have incompetent staff. this won't stop it.

I'd really not mind at all, to be honest, if my ISP protected me from spammers by putting a hold on my mail if I sent too much within ten minutes. It will indeed affect them most with recurring offline batch users such as myself -- and I'm alright with that.

that I have on my ADSL, so I am happy that I am not living there.
Some ISP's have blocked port 25 on ADSL connections. But I would rather prefer if it was open and then they should be more than welcome to block it if people started to send spam. and charge 100$ to open it again.

Ignore the frequency of email. If you are going to go digging into the details of your subscriber's emails, perform a one way hash on all of the recipient addresses and simply count the number of unique recipients in the last month (storing only the hash ensures privacy). More than 1000 - spammer. No spammer could make much money spamming less than 1000 people.

Granted, this is going to add some processing and storage overhead, but it could be done offline, and the statistics gathered used to suspend accounts once a day.

I can send 20 messages in 10 minutes. I usually check my email at 7 AM when I get into the office. Many times its emails like "Can you update this item on my webpage". At the end of the day, say about 4PM. I will reply to these messages with a simple: Done, you have X hours of tech support left this month and I can send out 15 - 20 in 5 minutes easy.

400 in 15 minutes, yeah, that looks odd and should be checked into. 20 in 10...that's not too hard.

Why is it "odd" to send 400 in 15 minutes, but not odd to send 20-60 in that same time period? The numbers are all totally arbitrary, it's just that yours is 60 and "normal" and the original limit happened to be 400.

Granted, I understand implicitly what you're saying: they're not allowing for "odd looking but unsustained spikes" such as offliners or batch responders (like yourself). Best to explicitly point this things o

I am a teaching assistant for a programming class at a university. Most of the questions I recieve in email from students can be answered in about a minute. If I get 11 questions, and I answer them right away, then...

How many people do you know who like to forward anything and everything to everyone in their address book? It's not spam, but one message often has more than 20 recipients. The question is, are they counting messages going out, or destination addresses?

This IS spam in my opinion. My favorite one is some friends that e-mail me the same thing over and over. Basically it goes like this...they see it, they send it, they forget about it then they send it again and repeat. Honestly...how many times do I have ot see sea life form the seal of the United States?

Check this out, I straight up replied to my girlfriend's mom when she forwarded me a joke I saw on USENET seven years ago or so and asked her not to send me any of that shit. We are still friends, and she doesn't send me crappy emails. I told her about Bcc: too, though I have no idea if she uses it... because she doesn't send me that crap anymore.

Anyway I just don't have friends like that in general, because that kind of person pisses me off. If they start sending me email I get annoyed and then I start b

Sometimes, yes. A few of my friends don't run IM, and a few of my other friends decide it's time to contact them, and we all get CCd, of course after a few minutes, a select subgroup of the gang who are always online starts replying. And then replying to each other. And thanks to mutt are able to completely saturate each other's pipes and spamassassins.

Seems like a reasonable compromise to help eliminate spam. If you are sending out more than that, you probably should pay for a commercial account of some kind, or a mailing service.

I smell a troll here, but I'll bite anyway.

"Reasonable?" I guess you don't run any mailing lists. I'm the webmaster for the local homebrew club [alfter.us]. Some of our members opt to not have dead-tree newsletters mailed to them; instead, they receive notification in the mail that this month's newsletter is up on the website. I u